b'       U.S. House of Representatives\n        Committee on Ways and Means\n          Subcommittee on Oversight\n        Subcommittee on Social Security\n\n\n\n\n            Statement for the Record\n\n    Hearing on Identity Theft and Tax Fraud\n\n\n    The Honorable Patrick P. O\xe2\x80\x99Carroll, Jr.\nInspector General, Social Security Administration\n\n                  May 8, 2012\n\x0cGood morning, Chairman Johnson, Chairman Boustany, Ranking Member Becerra, Ranking\nMember Lewis, and members of both Subcommittees. It is a pleasure to appear before you, and I\nthank you for the invitation to testify today. I have appeared before Congress many times to\ndiscuss issues critical to the Social Security Administration (SSA) and the services the Agency\nprovides to American citizens; earlier this year I testified before the Subcommittee on Social\nSecurity at separate hearings on SSA\xe2\x80\x99s Disability Insurance program and the Death Master File\n(DMF).\n\nToday, we are discussing the Social Security number (SSN) and ways to improve SSN protection\nand guard against misuse, identity theft, and tax fraud. Your Subcommittees have previously\nworked with SSA and the Office of the Inspector General (OIG) to address these issues, but with\nSSN use widespread throughout government programs and financial transactions, and\ntechnology constantly evolving, the threat of SSN misuse and identity theft persists. My office is\nwell aware of the central role that the SSN plays in American society, and part of our mission is\nto maintain its integrity along with other personally identifiable information (PII) within SSA\nrecords. To provide some context, in Fiscal Year (FY) 2011, SSA assigned about 5.4 million\noriginal SSNs, issued 10.9 million replacement cards, and processed more than 1.4 billion SSN\nverifications. The Agency also received about $660 billion in employment taxes related to\nearnings. Protecting the SSN and properly posting employees\xe2\x80\x99 wages is paramount to ensuring\nthe integrity of our personal information.\n\nDespite our efforts as well as those of SSA and the IRS to protect this critical information, we all\nremain targets for identity thieves. The Federal Trade Commission (FTC) estimates that as many\nas 9 million Americans have their identities stolen each year. The number of identity theft-\nrelated incidents on tax returns reached about 248,000 in 2010, about five times more than in\n2008, according to the Government Accountability Office. We in the OIG understand the\nconcern your Subcommittees have for citizens and their families with regard to identity theft, and\nwe investigate as many SSN misuse cases as our resources allow each year. As we pursue these\ncriminal investigations, we have also conducted numerous audits and made recommendations to\nSSA and to the Congress to improve the SSN\xe2\x80\x99s security.\n\nSSN Misuse Investigations\n\nOIG\xe2\x80\x99s primary mission is to protect SSA programs and operations, and the majority of our\ninvestigations are related to SSA program fraud. However, our organization receives thousands\nof allegations of SSN misuse each year; in FY 2011, about 14 percent of all fraud referrals\nreceived involved SSN misuse. It is our experience that investigations into SSN misuse will\noften reveal some form of identity theft. At times, they can also involve Social Security benefit\nfraud and tax fraud that can lead to the recovery of significant government funds.\n\nI would like to share with your Subcommittees some of our most recent cases involving SSN\nmisuse for the purpose of tax fraud:\n\n   \xef\x83\x98 The OIG, the IRS Criminal Investigation Division (CID), the Treasury Inspector General\n     for Tax Administration, and other agencies conducted a joint investigation of several\n     individuals who misused the names and SSNs of approximately 300 residents of Puerto\n                                                 1\n\x0c       Rico so they could file fraudulent tax returns. This scheme caused the IRS to issue more\n       than $2 million in fraudulent tax refunds. A judge sentenced three individuals to between\n       3 months and 30 months in prison, and ordered them to pay restitution of nearly $230,000\n       to the IRS.\n\n   \xef\x83\x98 My office investigated a California woman who used fraudulent SSNs to file Federal\n     income tax returns. The woman applied for and obtained more than 20 Social Security\n     cards, falsely claiming she gave birth to that many children at a Los Angeles hospital in\n     2002. The woman then prepared and filed fraudulent tax returns, claiming multiple\n     dependent deductions for family members and friends. She recently pleaded guilty to\n     theft, fraudulent use of SSNs, and preparing false tax returns. A judge sentenced her to 18\n     months\xe2\x80\x99 incarceration and ordered her to pay restitution of more than $302,000 to the\n     IRS.\n\n   \xef\x83\x98 The OIG, IRS CID, and other agencies investigated two New Jersey men who misused\n     the names and SSNs of victims who used a health-service provider in the area. The men\n     used the victims\xe2\x80\x99 personal information to file false tax returns, improperly claiming about\n     $507,000 in refunds from the IRS. The men pleaded guilty in 2011, and a judge\n     sentenced them to 60 months and 120 months in prison and ordered them to pay\n     restitution of more than $207,000 and about $300,000 to the IRS, respectively.\n\nAs we pursue investigations similar to these, our agents also participate on about 45 SSN misuse\ntask forces throughout the country, which cover mortgage fraud, bankruptcy fraud, and\ndocument and benefit fraud, as well as identity theft.\n\nSSA\xe2\x80\x99s Death Master File\n\nSSA has made significant efforts to improve SSN integrity and encourage individuals to protect\nPII. However, the SSNs of deceased individuals are also vulnerable to misuse. As such, the\npublic release of the DMF raises concerns related to SSN misuse and identity theft, as seen in\nrecent news media reports and evidenced by ongoing legislative efforts. SSA has, on the\nNumident\xe2\x80\x94the Agency\xe2\x80\x99s master database of SSN holders\xe2\x80\x94a record of reported deaths. Because\nof a Consent Judgment in a 1978 Freedom of Information Act (FOIA) lawsuit\xe2\x80\x94Perholtz vs.\nRoss\xe2\x80\x94SSA was required as of 1980 to provide death records that included the SSN, the last\nname, and the date of death of deceased number holders; the result was the creation of the DMF,\nan extract of Numident data. SSA later expanded the DMF to include individuals\xe2\x80\x99 first and\nmiddle name, date of birth, residential state and zip code.\n\nIn November 2011, SSA made changes to the DMF. First, the Agency ceased providing the\ndecedent\xe2\x80\x99s residential state and Zip code. In addition, SSA removed about 4.2 million State\nrecords from the DMF, based on a provision in the Social Security Act prohibiting SSA from\ndisclosing death records the Agency receives through its contacts with the States, except in\nlimited circumstances.\n\nToday, each DMF record usually includes the following: SSN, full name, date of birth, and date\nof death. Therefore, even with SSA\xe2\x80\x99s recent changes, the DMF still contains more information\n                                               2\n\x0cthan required by the Consent Judgment in Perholtz. The file contains about 86 million records,\nand it adds about 1.1 million records each year.\n\nSSA provides the DMF to the Department of Commerce\xe2\x80\x99s National Technical Information\nService (NTIS), a clearinghouse for scientific and technical information, which, in turn, sells the\nDMF to public and private industries\xe2\x80\x94government, financial, investigative, credit reporting, and\nmedical customers. Those customers use the data to verify death and prevent fraud, among other\nuses. SSA also currently distributes all death information it maintains, including State death\nrecords, under agreements with eight government agencies, including the IRS and the Centers for\nMedicare & Medicaid Services. SSA provides this death information to the IRS weekly. SSA\nalso provides IRS a weekly file that includes the names and SSNs of newborns, as well as their\nparents\xe2\x80\x99 names and SSNs.\n\nCriminal Use of Public Death Records\n\nThe DMF has important and productive uses. For example, medical researchers and hospitals\ntrack former patients for their studies; investigative firms use the data to verify deaths related to\ninvestigations; and pension funds, insurance companies, and government entities need to know if\nthey are sending payments to deceased individuals. In addition, the financial community and\nFederal, State, and local governments can identify and prevent identity theft by running financial\nand credit applications against the DMF. However, the form in which the DMF is currently\ndistributed provides opportunity for individuals to misuse SSNs and commit identity theft.\n\nThese OIG investigations show how individuals can use available death data to obtain SSNs and\ncommit fraud:\n\n   \xef\x83\x98 In August 2010, we began investigating about 60 fraudulent retirement benefit claims\n     that used the name, SSN, and date of birth of individuals who died decades ago. We\n     determined that the PII used to file the fraudulent claims was available to the public\n     through a genealogical website. The OIG and other law enforcement agencies identified\n     suspects in the case and executed search and arrest warrants; however, the main suspect\n     took his own life before he was taken into custody. His two accomplices, both relatives of\n     his, were indicted and pled guilty to the charges. A judge sentenced the two individuals to\n     20 months\xe2\x80\x99 and 25 months\xe2\x80\x99 incarceration followed by deportation from the U.S., and one\n     was ordered to pay restitution of more than $145,000 to SSA.\n   \xef\x83\x98 An OIG investigation of a Colorado man revealed that he employed individuals so he\n     could obtain names and SSNs of long-deceased individuals from a genealogical website.\n     The man then fabricated employment records and instructed others to use the obtained\n     names and SSNs and false employment information to create fraudulent tax returns,\n     which were submitted to the IRS online. To determine deceased individuals\xe2\x80\x99 SSNs, the\n     man said he compared data available from the public Internet site with a certain State\xe2\x80\x99s\n     death data. A judge sentenced the man to 46 months in prison for SSN misuse, making\n     false claims, and wire fraud; and ordered him to pay more than $282,000 in restitution to\n     the IRS.\n\n                                                  3\n\x0c       According to news media reports, in December 2011, this genealogical website said it\n       would no longer display the Social Security information for anyone who has died in the\n       last 10 years; the site also said it would place its Social Security Death Index behind a\n       pay wall and only allow access to the index to family history researchers.\nThe Congress has recognized the seriousness of this issue, as current bills for consideration\naddress access to the DMF. In November 2011, Chairman Johnson and several members of the\nSubcommittee on Social Security introduced the Keeping IDs Safe Act, which would end the sale\nof the DMF. The bill would help protect the death data of all number holders. My office also\nsupports an exemption to the bill that would allow government and Federal law enforcement\nagencies\xe2\x80\x94like the OIG\xe2\x80\x94to access the DMF to combat fraud.\n\nReviews and Recommendations\n\nThe OIG recognizes that limiting or discontinuing the DMF\xe2\x80\x99s availability is ultimately a\nlegislative and policy decision for the Congress and SSA to make. Even so, my office has long\ntaken the position that to the extent possible, SSA should limit public access to the DMF that\nrequired by law, and take all possible steps to ensure its accuracy. We have made several\nrecommendations to this effect.\n\nOur March 2011 report, Follow-up: Personally Identifiable Information Made Available to the\nPublic via the Death Master File, examined whether SSA took corrective actions to address\nrecommendations we made in a June 2008 report on the DMF. In the June 2008 report, we\ndetermined that, from January 2004 through April 2007, SSA\xe2\x80\x99s publication of the DMF resulted\nin the potential exposure of PII for more than 20,000 living individuals erroneously listed as\ndeceased on the DMF. In some cases, these individuals\xe2\x80\x99 PII was still available for free viewing\non the Internet\xe2\x80\x94on ancestry sites like genealogy.com and familysearch.org\xe2\x80\x94at the time of our\nreport.\n\nIn the March 2011 report, we found SSA did not take actions on two of our recommendations.\nSSA did not implement a delay in the release of DMF updates, as the Agency indicated that\npublic and private organizations rely on the DMF to combat fraud and identity theft. According\nto SSA, those organizations must have immediate and up-to-date information to be effective. The\nAgency also did not attempt to limit the amount of information included on the DMF, and it did\nnot explore alternatives to the inclusion of an individual\xe2\x80\x99s full SSN, citing the Perholtz consent\njudgment and potential litigation under FOIA. SSA added that a deceased individual does not\nhave a privacy interest, according to FOIA.\n\nOur follow-up audit work indicated that between January 2008 and April 2010, SSA published at\nleast 35,000 living numberholders\xe2\x80\x99 PII in the DMF. According to SSA, there are about 1,000\ncases each month in which a living individual is mistakenly included in the DMF. SSA said that\nwhen the Agency becomes aware it has posted a death report in error, SSA moves quickly to\ncorrect the situation, and the Agency has not found evidence of past data misuse. However, we\nremain concerned about these errors, because erroneous death entries can lead to benefit\ntermination and cause severe financial hardship and distress to affected individuals. We also\nhave concerns that DMF update files, some with the SSNs of living individuals, are a potential\n                                                4\n\x0csource of information that would be useful in perpetrating SSN misuse and identity theft. DMF\nupdates can reveal to potential criminals the PII of individuals who are still alive.\n\nLegislative Efforts\n\nWe support the prior bipartisan legislative efforts of these Subcommittees to limit the use,\naccess, and display of the SSN in public and private sectors, and to increase penalties against\nthose who misuse SSNs. Most recently, the Subcommittee on Social Security introduced the\nSocial Security Number Privacy and Identity Theft Prevention Act of 2009. This legislation\nincluded new criminal penalties for the misuse of SSNs; criminal penalties for SSA employees\nwho knowingly and fraudulently issue Social Security cards or SSNs; and enhanced penalties in\ncases of terrorism, drug trafficking crimes, or prior offenses.\n\nThe legislation would also expand the types of activities that are subject to civil monetary\npenalties (CMPs) and assessments under Section 1129 of the Social Security Act. Currently, an\nindividual who misuses an SSN is not subject to a CMP, except in cases related to the receipt of\nSocial Security benefits or Supplemental Security Income. The legislation would authorize the\nimposition of CMPs and assessments for activities such as providing false information to obtain\nan SSN, using an SSN fraudulently obtained, or counterfeiting an SSN.\n\nThe expanded use of the SSN in today\xe2\x80\x99s society has made it a valuable commodity for criminals.\nIn addition to being a lynchpin for identity theft crimes, it also helps an individual assimilate into\nour society, and in some instances, to avoid detection. The importance of SSN integrity to\nprevent identity theft and ensure homeland security is universally recognized. Providing\nenhanced, structured penalties is appropriate to reflect the vital importance of the SSN.\n\nCitizens\xe2\x80\x99 Accountability\n\nWhile government agencies such as SSA have controls in place to protect the SSN and other\npersonal information, individuals must also take basic preventive steps to protect their own\ninformation from improper use. We urge everyone to keep Social Security cards in a secure\nplace, shred personal documents, and be aware of phishing schemes, because no reputable\nfinancial institution or company will ask for personal information like an SSN via the phone or\nthe Internet. It is also important to protect personal computers with a firewall and updated anti-\nvirus protection.\n\nAdditionally, we should all be judicious in giving out an SSN in business transactions, because\nwhile it is required for some financial transactions, an SSN is not necessary for everyday\ntransactions, like applying for a gym membership. We can monitor our financial transactions and\nregularly check our credit reports from the three major credit bureaus. Concerned citizens may\nalso contact SSA at 1-800-772-1213 if they suspect someone is using their SSN work purposes;\nSSA will review work earnings to ensure its records are correct. Anyone who suspects identity\ntheft should report it to the FTC at 1-877-438-4338; and may need to contact the IRS to address\npotential tax issues. By knowing how to protect ourselves, and actually taking these important\nsteps, we make life much more difficult for identity thieves.\n\n                                                  5\n\x0cConclusion\n\nSSA has a long history of protecting PII, and while current conditions may be the most\nchallenging yet, we are confident SSA will rise to the occasion and address the challenges of\ntoday and tomorrow. Identify theft will undoubtedly persist for years to come, because of the\nreliance on the SSN as a national identifier and advances in technology and communication.\nNevertheless, we are committed to ensuring that the information in SSA\xe2\x80\x99s records remains safe\nand secure.\n\nWhile we support efforts to limit public access to this data through legislative or policy changes\n(such as the Keeping IDs Safe Act), barring such changes, SSA should implement a risk-based\napproach for distributing the DMF, and the Agency should limit the amount of information\nincluded on the DMF. These actions would protect PII and reduce the potential for misuse and\nabuse of SSNs and identity theft.\n\nOur investigators are committed to pursuing SSN misuse and identity theft cases, and our\nauditors will continue to offer recommendations to safeguard the SSN and prevent theft of\ngovernment funds. Finally, we will continue to provide information to your Subcommittees and\nAgency decision-makers about this critically important issue. I thank you again for the\nopportunity to speak with you today. I am happy to answer any questions.\n\n\n\n\n                                                 6\n\x0c'